7 steps to set up IoT toys for security
Internet of Things (IoT) toys are popular gifts for kids, but so-called “smart” toys are also notorious for their poor security. Here are 7 steps to set up IoT toys for better security and privacy:
Understand the risks
Before you can secure something, you have to understand what can go wrong with it. With IoT toys, there are several issues:
If a toy connects to the Internet, your child’s data is being transferred and stored on a company’s servers. This can include personal details, images, and voice recordings. If that data isn’t well-secured, it can be lost in a data breach.
Many toys rely on Bluetooth to work. If the manufacturers have done a poor job of securing their product, a bad actor nearby could access your child’s toy or even use it to communicate with your child.
Some toys require your child to create an account. Others have companion mobile apps. In either case, you’ll have to think about the usual data collection and sharing issues that you would with any other service or app.
Lastly, there’s a practical market consideration. IoT is hot, and lots of companies are eager to release smart products. Unfortunately, not all of them know what they’re doing! There are a quite a few IoT toy manufacturers who treat cybersecurity as an afterthought — or who just aren’t very good at it. Always keep in mind that this is the tech landscape you’re dealing with.
Research the toy and its manufacturer
The next step is to do your due diligence.
Look up the manufacturer and the specific model of toy. Read the online product reviews. Look for obvious red flags: a litany of user complaints, or news stories about the company’s previous privacy lapses.
You can also check to see if the toy has been reviewed by privacy experts already. Mozilla Foundation, for example, offers a service called “*privacy not included”. It’s a searchable database of popular technology products along with detailed information about their privacy standards.
Depending on what you discover, you may conclude that it’s simply not possible to set up this IoT toy for security. If that’s the case, just exchange your child’s gift for something safer. We realize that this is hard conversation to have, but it’s better than giving your child something that could harm their privacy or security.
Read the manual and EULA
Assuming you haven’t found anything too alarming in your research, the next step is to read what the manufacturers have to say about their product. If the company is really security-savvy, they will offer detailed information about the toy’s security and privacy settings. But if not, you’ll probably have to do a bit of digging on your own.
First of all, read the manual to see how the toy works, and to determine how the default settings can be changed. This will help you to understand which of the risk factors discussed above are in play, and how you can take steps to make the toy more secure.
In addition, read the company’s EULA and the companion app or website’s privacy policy if possible. If you’re using an iOS app, check out the app’s Privacy Label in the App Store. You want to find out as much as you can about how your child’s data is going to be handled. Pay special attention to data collection, storage, sharing, and resale policies.
Change default usernames, passwords, and settings
A major issue in IoT security is that smart devices frequently ship with default usernames and passwords. That’s a problem, because the bad guys can easily look these up online. If they know the specific model of the IoT device that they’re attacking, they’ll try to log in using the factory defaults. Unfortunately, many people never change these, which means that the hackers are often successful!
Whenever possible, change an IoT toy’s default username and password. Try to pick a username that doesn’t contain identifying personal details like a family name or street address. For passwords, the basic best practices apply: use a strong, unique password just like you would for any other account.
You should also check if it’s possible to change the default connection settings. Many smart toys are set up to automatically connect to any Bluetooth-capable device or Wi-Fi network within range. But this can be a security issue, so see if it’s possible to disable the functionality and restrict connections to trusted devices or networks only.
If it’s possible to receive automatic updates for the IoT toy, set this up as well. Realistically, the makers of your kid’s smart toy aren’t going to be pushing out security updates as regularly as Apple and Microsoft do. But when they do issue a patch, you want to make sure that you get it. Automatic updates are your best bet here.
Limit the data you share
Try to limit the amount of data that your child will be sharing with the toy’s manufacturers.
If a toy can do any kind of location tracking, disable the feature if you can. There’s no real upside in allowing an IoT toy to collect a kid’s location data, and a lot that can go wrong.
If you’re setting up an account for your child, don’t provide any personally identifiable information that you don’t have to. This could mean using a first name only, skipping phone number fields when they’re not required, or using a “burner” email address that you only use for setting up new accounts.
Here’s the guiding principle to keep in mind: If a company has your child’s data, that company can lose your child’s data. This can happen via a data breach — or if the company decides to sell the data on to third parties. The solution is to give them as little data as possible, or information that is less harmful if leaked (e.g. your office phone number instead of your child’s mobile number; a throwaway email address instead of your child’s personal email address). Remember that setting up IoT toys for security is often a matter of what you don’t do!
Be camera and microphone aware
Some IoT toys have cameras and microphones. That’s OK, but it does raise the stakes when you bring one of these things into your home. If it’s not secure, a smart teddy bear with a camera is just a very cute surveillance device.
If your child’s toy has a camera or microphone, be aware of the privacy implications, and the take appropriate precautions. Turn the toy off when it’s not being used. Make sure your home Wi-Fi network is locked down. And if the camera and microphone aren’t truly essential to the toy’s functionality, consider turning them off altogether.
Secure your home network
As you’ve probably noticed by now, IoT devices aren’t terribly secure. If you’re going to bring one onto your home Wi-Fi network, then you need to make sure the network itself is secure.
The most important thing is to protect your network with a strong password. In addition, take some basic steps to make life harder for a potential hacker. Use a strong encryption protocol (WPA2 or WPA3) for your network. Change the name of your home network so that it doesn’t give away any information about the brand of router you’re using or your identity. In other words, don’t call your network “Linksys-EA9500”, “Cook_Family_Home”, or anything like that!
If you’re fairly comfortable with router tech, you might also consider setting up a completely separate WiFi network for your IoT devices. This can be done by using two different routers, or by setting up a virtual network on your existing router.
Follow the tips above to make sure your kid’s IoT toy is as secure as possible. If you have questions about a topic or issue you didn’t see addressed in this guide, ask away! We’re always glad to hear from readers, and to answer security and privacy questions on our weekly podcast, The Checklist.